Introducing Kvasir

Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!

During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.

How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit?

The answer is to build a data management application that works for you. The first iterations the SPA team created were a mixture of shell, awk, sed, tcl, perl, expect, python and whatever else engineers felt comfortable programming in. If you remember the Cisco Secure Scanner product (aka NetSonar) then our early tools were this with extra goodies.

Welcome to the 21st Century

As time moved on, our tools became unfriendly to larger data sets, inter-team interaction was awkward, and supporting new data types was difficult. The number of issues detected by vulnerability scanners started to increase, and while we have always been able to support very large environments, the edges were starting to bulge.

We don’t believe this scenario is unique to us. We also don’t believe current publicly available solutions really help. Most teams we’ve talked with have used a variant of issue tracking software (TRAC, Redmine) or just let Metasploit Pro handle everything.

We think this isn’t good enough, which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testing. It’s not perfect, but it’s grown up a lot and will improve.

What’s Kvasir?

Kvasir is a web-based application whose goal is to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.

Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.

There are obviously some gaps here, but these are the primary tools we use. Support for scanners such as Nessus, QualysGuard, SAINT, and others is in various stages of development already, just not completed at this time.

Nexpose and Metasploit Pro Integration

Since the SPA team generally uses Rapid7’s Nexpose and Metasploit Pro, Kvasir integrates these tools via their APIs. We purposefully did not incorporate some features but may have future plans for others.

The importation of Nexpose site reports is fully automated. Just pick a site and let Kvasir generate the XML report, download, and parse it! After parsing, the scan file can be imported into a Metasploit Pro instance.

For Metasploit Pro results you must first generate an XML report, but after that is done Kvasir will download and parse it automatically. Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API.

Metasploit Pro’s automatic Bruteforce and Exploit features can be called directly from Kvasir. Simply select your list of target addresses, click a few buttons, and go take a rest! You’ve earned it!

From Vulnerability to Exploit

So you have a host with a list of vulnerabilities, but what is exploitable? Exploit frameworks such as Metasploit Pro and CANVAS, as well as the Exploit Database archive from Offensive Security, are mapped to vulnerability and CVE entries, granting the user an immediate view of potential exploitation methods. CORE Impact’s list of exploits is being researched for inclusion.

Screenshots!

The initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:

A tag-cloud based on high-level severities (level 8 and above) is included which may help pinpoint the highest risk vulnerabilities. This is based solely on vulnerability count.

Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and CANVAS. Links from vulnerabilities and CVE assignments to exploits are made so you can get an immediate glance at which hosts/services have exploitable vulnerabilities:
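The two ideas behind the screens above, folding several tools' output into one set of records and then linking those records to exploits by CVE, can be shown in a few dozen lines. The Python below is an added example and is not Kvasir's code; the XML layout, the framework-style records, the CVE numbers, exploit names and host addresses are all constructed placeholders, not the real Nexpose or Metasploit Pro formats. It also computes the severity-8-and-above count that the tag cloud is built from.

```python
"""Added example (not Kvasir code): normalise two constructed tool exports
into one record set, link findings to exploits by CVE, and count the
high-severity findings that a severity tag cloud would be built from."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in a simplified, hypothetical scanner format.
SCANNER_XML = """<scan>
  <host address="10.0.0.5">
    <service port="445" name="smb">
      <vuln id="example-smb-signing" severity="4"/>
      <vuln id="example-smb-rce" severity="10" cve="CVE-0000-0001"/>
    </service>
  </host>
  <host address="10.0.0.9">
    <service port="80" name="http">
      <vuln id="example-web-rce" severity="9" cve="CVE-0000-0002"/>
    </service>
  </host>
</scan>"""

# Constructed second source: framework-style records (hypothetical layout).
# The first record repeats a finding the scanner already reported.
FRAMEWORK_RECORDS = [
    {"host": "10.0.0.5", "port": 445, "service": "smb",
     "vuln": "example-smb-rce", "cve": "CVE-0000-0001", "severity": 10},
    {"host": "10.0.0.9", "port": 22, "service": "ssh",
     "vuln": "example-weak-password", "cve": None, "severity": 8},
]

# Constructed exploit catalogue keyed by CVE (placeholder names).
EXPLOIT_CATALOG = [
    {"cve": "CVE-0000-0001", "framework": "metasploit",
     "name": "exploit/placeholder/smb_rce"},
    {"cve": "CVE-0000-0002", "framework": "exploit-db",
     "name": "EDB-PLACEHOLDER-1"},
]


@dataclass(frozen=True)
class Finding:
    """One row of the unified schema; frozen so identical findings from
    different tools hash equally and collapse into a single record."""
    host: str
    port: int
    service: str
    vuln_id: str
    cve: Optional[str]
    severity: int


def parse_scanner_xml(text):
    """Walk host -> service -> vuln and emit unified Finding records."""
    findings = set()
    for host in ET.fromstring(text).iter("host"):
        for svc in host.iter("service"):
            for v in svc.iter("vuln"):
                findings.add(Finding(host.get("address"), int(svc.get("port")),
                                     svc.get("name"), v.get("id"), v.get("cve"),
                                     int(v.get("severity"))))
    return findings


def parse_framework_records(records):
    """Map the framework-style dicts onto the same Finding schema."""
    return {Finding(r["host"], int(r["port"]), r["service"], r["vuln"],
                    r["cve"], int(r["severity"])) for r in records}


def unify(*sources):
    """Merge all sources; duplicates seen by two tools are stored once."""
    merged = set()
    for s in sources:
        merged |= s
    return merged


def link_exploits(findings, catalog):
    """Return {host: sorted exploit names} for findings with a catalogued CVE."""
    by_cve = defaultdict(list)
    for e in catalog:
        by_cve[e["cve"]].append(e["name"])
    linked = {}
    for f in findings:
        if f.cve in by_cve:
            linked.setdefault(f.host, set()).update(by_cve[f.cve])
    return {h: sorted(names) for h, names in linked.items()}


def high_severity_counts(findings, threshold=8):
    """Vulnerability-count tally for severity >= threshold (tag-cloud input)."""
    return Counter(f.vuln_id for f in findings if f.severity >= threshold)


if __name__ == "__main__":
    unified = unify(parse_scanner_xml(SCANNER_XML),
                    parse_framework_records(FRAMEWORK_RECORDS))
    print(len(unified), "unique findings")
    print(link_exploits(unified, EXPLOIT_CATALOG))
    print(high_severity_counts(unified))
```

Deduplication falls out of the frozen dataclass: the SMB finding reported by both constructed sources becomes one record, so the dashboard counts and the exploit links are not inflated by whichever tool happened to see a host twice.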

The host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:

Of course as you collect user accounts and passwords it’s nice to be able to correlate them to hosts, services, hashes and hash types, and sources:

Exactly: https://code.google.com/p/threadfix/
It would perhaps be better if the 2 projects combined time and resources to create 1 good project/tool instead of 2 projects that still have to work on supporting most of the known vulnerability scanners.
(I see that Threadfix got most of them already covered - not OpenVAS yet)
Anyhow, good news that there is a big vendor, or someone from a big vendor, also looking into this.

Really nice tool, not as production-ready as ThreadFix, which we already use, but nice to have a choice! We also sent you some bug reports on https://github.com/KvasirSecurity/Kvasir/issues
Francesco "ascii" Ongaro
www.isgroup.biz / www.easyaudit.org

To be honest I see ThreadFix and Kvasir working towards different overall purposes. There are things we can learn from each other, no doubt, but if you're looking for a comprehensive Vulnerability Management tool by all means Kvasir may not be the right tool at this time.
If you want a quick and adaptive penetration data management tool, that's what Kvasir is all about.

Thank you! I know the documentation is a bit lacking but we're putting a lot of information in the wiki at https://github.com/KvasirSecurity/Kvasir/wiki
I will be giving a presentation at ToorCon about using Kvasir and the slides and recording will be made available.

Looks great, but the installation instructions are confusing:
they're different here https://github.com/KvasirSecurity/Kvasir
than here https://github.com/KvasirSecurity/Kvasir/wiki/Installation
and even on the wiki installation page they tell you to clone from https://github.com/CiscoSystems/kvasir.git Kvasir and https://github.com/KvasirSecurity/kvasir.git
So clearer instructions (or a VM) would be nice.
Other than that, keep up the good work and thanks for sharing.

Really nice.
I used this on a pentest recently and it's been very useful. I have a few issues that I'd like to submit code to improve, but do you have a rough roadmap for where you are taking the tool, e.g. user comments?
I want to make sure I'm not coding something that you are already working on :)
